Bulk Certificates

WARNING: This information is part of a limited availability release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.

Limitations & conditions

The Platform TLS Certificate Deployment Service has the following general limitations:

  • This service is not available for private CDN deployments.
  • To take advantage of this service, you must procure your own certificates from the certification authority (CA) of your choice. Fastly will not procure certificates on your behalf.

In addition, certificates are deployed using the Platform TLS Certificate Service with the following conditions:

  • Certificates hosted using SNI will only be served to browsers that support SNI. Browsers that do not support SNI will not receive the correct certificate for the domain requested.
  • The certificate deployment process takes an average of approximately 20 minutes to complete once a certificate is submitted, but may take as long as an hour.
  • Fastly will automatically choose the certificate delivered for a given request based on the host requested.
  • The certificate with the most specific hostname will be prioritized over certificates with less specific hostnames. For example, on a request for api.example.com, Fastly will prioritize a certificate with a SAN entry for api.example.com over a different certificate with a SAN entry for *.example.com.
  • If an identical hostname appears on more than one certificate, then the most recently uploaded certificate will be used. We recommend that you manage certificates such that hostnames remain unique for them.

Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.

Data model

All the domains (including wildcard domains) that are listed in any certificate's Subject Alternative Names (SAN) list.

allow_untrusted_rootbooleanAllow certificates that chain to untrusted roots. [Default false]
cert_blobstringThe PEM-formatted certificate blob. Required.
intermediates_blobstringThe PEM-formatted chain of intermediate blobs. Required.
relationships.tls_configurations.idstringAlphanumeric string identifying a TLS configuration.
relationships.tls_domains.idstringThe domain name.
typestringResource type. [Default tls_bulk_certificate]
created_atstringDate and time in ISO 8601 format. Read-only.
deleted_atstringDate and time in ISO 8601 format. Read-only.
idstringAlphanumeric string identifying a TLS bulk certificate. Read-only.
not_afterstringTime-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. Read-only.
not_beforestringTime-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. Read-only.
replacebooleanA recommendation from Fastly indicating the key associated with this certificate is in need of rotation. Read-only.
updated_atstringDate and time in ISO 8601 format. Read-only.


List certificates


Upload a certificate


Get a certificate


Delete a certificate


Update a certificate